GRC Tuesdays: Business Continuity – It’s Not Just About Insurance, It’s About Assurance
I was recently discussing business continuity in the event of a crisis with a Chief Risk Officer, and his reaction surprised me. When I asked what processes and procedures were in place, he replied: “We have full insurance coverage. That’s plenty enough.”
I’m sorry, but I beg to differ. To me, this is far from sufficient. Insurance will indeed cover some of the losses incurred, but will insurance help you protect your reputation and what your customers think of you? Will it protect your employees in case of a major incident at remote premises?
As you can imagine, my personal answer to all of these questions is no.
Of course you do need insurance, as this will be one of the risk transfer approaches for those risks that you can’t completely mitigate, but I believe that business continuity plans, crisis and emergency responses, and associated processes are paramount in protecting a business.
It’s not just about insurance, it’s about assurance that your business is here for the long term.
Integrate Business Continuity in Your Regular GRC Process
As I frequently mention in these blogs, business contexts change all the time. As a result, I often recommend reviewing the risks and their current levels regularly. This also applies to all the risk mitigation measures: action plans in progress, preventative controls, and so on. And of course to the policies, including the business continuity plans.
There’s nothing worse than discovering when you’re in the middle of a crisis that your continuity plan doesn’t cater for the major consequences of a risk. Let’s take the example of civil unrest close to one of your remote facilities. If your plan is to evacuate your employees to another location, but you don’t know that this new location is now also in the unrest area, then you’re endangering your employees simply by triggering the very plan that is supposed to protect them.
Test Your Continuity Plans, but Also Audit Them
Testing continuity plans is the only reliable way of ensuring that they will work as designed in case of a crisis.
Nevertheless, as with any process, they can always be improved. I’m a strong advocate of internal audit reviewing the plans during their audits. This way, not only will they be able to validate the adequacy of a plan, but also, since they review different business units, they might be able to suggest improvements to make the plan even more effective.
Quite some time ago now, an auditor shared one of his experiences with me. When reviewing the continuity process of a company, he noticed that the IT continuity plans and the personnel plans weren’t coordinated. As a result, the backup site for the employees wasn’t the same as the one defined by IT. In theory, the company had a complete end-to-end business continuity process; in reality, it simply couldn’t have worked. And that was only discovered when audit reviewed all the plans together.
Benchmark It against Best Practices
Business continuity is a well-established practice, and its practitioners belong to structured professional organizations. Sharing your plans with peers in the same area or industry can only be beneficial to all: for you, first of all, as you will be able to get first-hand feedback from others who share the same concerns, but also for others, as they might be able to enhance their own processes based on your expertise.
To me, business continuity is not a solitary exercise. Business continuity leaders need to pull in experts from the entire company to design an effective plan, and to do so they can rely on their risk management and internal control colleagues, as well as on their internal auditors, who can act as true business advisors. Finally, I would strongly suggest engaging with the business continuity community. Yes, business continuity can be a competitive advantage, but when business viability is at stake, the more assurance you get, the more prepared you can be.
Would you agree with this analysis? Who else would you engage in this process?
I look forward to reading your thoughts and comments either on this blog or on Twitter (@TFrenehard)!